
Security and Protection

The following are transcripts of the videos available here: Stay Safe Online  

 

Financial Fraud via email forgery...

Scammers may impersonate someone you know using email to commit financial fraud. Be particularly wary of any email requesting money or any details about your financial credentials. This is one of the many types of scam you may face.

An initial email requested a money transfer using a forged email address that appeared to be from the Head of Faculty. The recipient was Joanna, a busy administrator of the same faculty. Joanna sent a reply, but she didn't notice that the Reply-To address was a gmail one and not the usual @cam address that the message appeared to come from. Joanna received another email, but she became suspicious, so she consulted a member of the IT staff, who advised that she call Professor Smith directly to confirm the transaction. It was a FINANCIAL SCAM.

Be on your guard. Before responding to such an email, STOP! THINK! If unsure, consult your IT Officer as to whether the email is genuine. Also, contact the sender of the email by other means, for example over the phone or in person, to confirm the transfer. This should also protect you in case the email address is genuine but it has been compromised by hackers. A little caution can avoid an expensive and distressing mistake.

These criminals will try to prevent you replying to the person they are impersonating, as that would give the game away. So they may try to hide the actual address where your reply is sent. Your local IT officer or the service desk staff at UIS will know how to check whether an email is legitimate by looking at additional information about the message. This is found in something called the "headers", which are usually hidden by most email apps. So if you receive an email asking you to make an urgent or unexpected payment, do ask your local IT staff to help.

Another common financial scam comes from messages telling you there has been a last-minute request for a change of financial details, such as the bank sort code and account number. STOP! Phone the supplier directly to confirm this change. It is best to use the phone number on the supplier's website rather than one given in the message itself; this is another way of protecting yourself from a scam. Also, do not provide your bank account, credit or debit card or any other financial details to someone without being certain of their identity. If you need advice, don't hesitate to ask your local IT department, Computer Officer or the UIS Service Desk for help. Please forward any suspicious emails to CERT@cam.ac.uk immediately or use our online form.

The world of cyber crime is evolving every day. Scammers use email in many ways which could pave the way for a future financial fraud. Anything unusual about an email message should raise a red flag.
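The Reply-To trick in the Joanna story is visible in the message headers, and it can be checked mechanically. The following is an added example (not code from the original page or from UIS) that parses a raw message with Python's standard email library and flags any Reply-To whose domain differs from the From domain. The message is constructed for illustration; every address in it is an invented placeholder, and `gmail.example` stands in for the webmail address the transcript describes.

```python
"""Flag a message whose Reply-To would send your answer somewhere other than the
apparent sender's domain, the trick described in the Joanna example.

Added example, not code from the original page or from UIS. The message below is
constructed for illustration and its addresses are invented placeholders."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: the From header shows an @cam address, but a Reply-To
# header quietly routes any reply to a webmail account (placeholder domain).
SAMPLE_EML = b"""\
From: "Prof. Smith" <prof.smith.placeholder@cam.ac.uk>
Reply-To: "Prof. Smith" <prof.smith.placeholder@gmail.example>
To: Joanna <joanna.placeholder@cam.ac.uk>
Subject: Urgent payment needed today
Content-Type: text/plain; charset=utf-8

Joanna, please arrange the transfer we discussed before 3pm. Reply to confirm.
"""


def address_domain(header_value) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def reply_goes_elsewhere(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and compare the From and Reply-To domains.

    'suspicious' is True when a Reply-To is present and its domain differs from
    the From domain. A message with no Reply-To is not flagged by this check on
    its own, so it complements, rather than replaces, phoning the sender.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "suspicious": bool(reply_domain) and reply_domain != from_domain,
    }


if __name__ == "__main__":
    verdict = reply_goes_elsewhere(SAMPLE_EML)
    print(verdict)
    if verdict["suspicious"]:
        print("A reply would go to", verdict["reply_to_domain"],
              "rather than", verdict["from_domain"],
              "- confirm with the sender by phone before acting.")
```

A mismatch is a prompt to confirm by other means, as the transcript advises, not proof of fraud: some legitimate mailing systems set a Reply-To deliberately. Conversely, a forged From address with no Reply-To passes this check, which is why the phone call still matters.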

STOP! THINK! Before you CLICK!

How do I recognise a legitimate login page from a fake one?

Scammers will target you with phishing emails. These may include a link taking you to a fake web site pretending to use the University's Raven login page. If you enter your University username and password, scammers can use your account to commit frauds. These could include sending phishing emails from your account, or on behalf of senior staff if you manage their accounts.

If a link in an email takes you to a Raven login page, BEFORE entering your password, make sure the web page is legitimate. This is what you SHOULD see and can TRUST. Look in the address bar, and note the start of the Raven login address, raven.cam.ac.uk. Firstly, make sure that the domain name is correct. The "domain" is the first part of the web address; for Raven this will always be raven.cam.ac.uk.

Another thing you can check is that the page asking for your password is secure. A secure site has a padlock icon in the address bar. Different browsers may show this in different ways. The Raven login screen always has a green padlock. If you click on the padlock, a drop-down box will usually show the web site owner's name. Use this to confirm whether the site is real; for Raven the owner's name is always "University of Cambridge". But spoof sites can also have a padlock, so it is important to check both that a padlock is visible and that the web address is the one you expect.

Look carefully at this web page: there are 2 address bars, and one of them is a screenshot of the site it is impersonating. The other has a very different web address! If you had entered your password, your login details would have been stolen.

What about web sites that do not use Raven? A common trick is for fake sites to use a domain name that looks similar to the one it imitates. This site looks as if it belongs to the BBC, but it doesn't. The BBC's website is bbc.co.uk. There is no "info-" in their real address. Similarly, this address for apple dot com looks suspicious; did you notice that there is a zero rather than an "o" in the word "com"?

There are several other clues to help you spot bogus sites, including: no contact details on the site; intrusive adverts crowding the page, or ones that are explicit or suggestive, or ads that ask you to take a survey. Check for safe browsing by entering the web address here: https://www.google.com/transparencyreport/safebrowsing/diagnostic/

If you think you have accidentally entered your University details into a fake site, change your password immediately. Use the password application to do this; do ask for help from your local IT Officer or the UIS service desk (01223 762999) or email service-desk@uis.cam.ac.uk. Forward anything suspect: the security team will block fake web login pages to protect you and other users. You can also report via your IT department, the service desk or through our web form.

If you use Microsoft Online, the two login addresses look like this. And this. These are safe. We thought you'd like to know that!
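The two checks the transcript describes for a login page (is the host really raven.cam.ac.uk, and is the page served over https so a padlock can appear) can be written down as a small function. This is an added example, not code from the original page or from the University: it uses Python's urllib to pull the host out of a link and then tests it against the expected site, catching the two lookalike tricks the transcript shows (a real name embedded in a different domain, as with "info-bbc", and a digit swapped for a letter, as with "c0m"). The expected hosts are the ones named in the transcript; the lookalike URLs are constructed and use reserved .example names rather than real sites.

```python
"""Check a login link the way the transcript says to: is the host really the one
you expect (raven.cam.ac.uk), and is it served over https so a padlock can show?

Added example, not code from the original page or from the University. The
expected hosts come from the transcript; the lookalike URLs are constructed and
use reserved .example names, not real sites."""
from urllib.parse import urlsplit

# Digits that scammers swap in for letters, as in "apple.c0m" in the transcript.
DIGIT_FOR_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased, without scheme, port, path or user info."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def same_site(host: str, expected: str) -> bool:
    """True only if host IS expected or a subdomain of it; 'info-bbc.co.uk' is not."""
    return host == expected or host.endswith("." + expected)


def check_login_url(url: str, expected_host: str) -> dict:
    """Return the host found, a 'genuine' verdict and the reasons it failed, if any."""
    parts = urlsplit(url)
    host = host_of(url)
    # "www." is a conventional prefix, so compare against the bare site name.
    core = expected_host[4:] if expected_host.startswith("www.") else expected_host
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https: no padlock to check")
    if not same_site(host, core):
        warnings.append(f"host {host!r} is not {core!r}")
        if core in host:
            warnings.append("the real name is embedded inside a different domain")
        elif same_site(host.translate(DIGIT_FOR_LETTER), core):
            warnings.append("digits stand in for letters in the domain name")
    return {"host": host, "genuine": not warnings, "warnings": warnings}


if __name__ == "__main__":
    # Constructed test links; only the first and last are the genuine hosts.
    for url, expected in [
        ("https://raven.cam.ac.uk/", "raven.cam.ac.uk"),
        ("http://raven.cam.ac.uk/", "raven.cam.ac.uk"),
        ("https://raven.cam.ac.uk.secure-login.example/auth", "raven.cam.ac.uk"),
        ("https://www.info-bbc.co.uk/news", "www.bbc.co.uk"),
        ("https://www.apple.c0m/", "www.apple.com"),
        ("https://www.bbc.co.uk/news", "www.bbc.co.uk"),
    ]:
        print(url, "->", check_login_url(url, expected))
```

Note what the padlock check does and does not tell you: the https test only says the connection is encrypted, which a spoof site can also arrange. The verdict is "genuine" only when the host test passes as well, which is exactly the transcript's point about checking both the padlock and the address.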

STOP! THINK! Before you CLICK!

What is phishing, and what can I do about it?

Phishing is an attempt to extract your passwords, your personal data or sensitive University information, which is then used for criminal purposes. These scammers use email, social media, phone calls, or face to face methods to phish for information. Phishing is becoming more and more likely each day. It is estimated that in the University there are around 1000 attacks an hour. These scam emails attempt to trick you into clicking on a link that takes you to a malicious web site, or opening an attachment that installs a virus.

In March 2017, a scam email was sent to Cambridge users. Its aim was to trick people into entering their login information. A link in the email went to a mock-up of a Raven login page. Unfortunately, a surprisingly large number of people clicked it and gave away their password. Only a few hours later, scammers logged on to one of these accounts and used it to send more scam emails. NEVER login to Raven via a link in an email.

So how do you recognise a scam email? Some are easy to spot: they offer you something "too good to be true" or inform you that you have won an academic prize; they may state that you have been given a bursary or extra grant funding. Delete them. Don't reply to this type of message and DON'T go to any link they include. However, you are more likely to click on a malicious link if you are expecting invoices or shipping notifications. In these cases be particularly vigilant.

But what if you are unsure? Take an example from Mags, a Cambridge user. Mags received an email attempting to get her to click on a link. But Mags was suspicious. Instead she reported the incident to us. If Mags had clicked the link, a virus would have been installed on her computer. Well done Mags, and THANK YOU. We want to know about ANYTHING that looks suspicious!

But how do you know if a link in an email is legitimate? Hovering your mouse over the link can reveal the scammer's fake link. Also, look to see if the link in the browser's title bar shows a suspect or bogus link. What else should you look for? If you see an email from an address like this, it is highly likely to be a phishing scam. There are only a handful of University ROLE addresses ending "@cam.ac.uk". This is the actual address for HR: HR.Enquiries@admin.cam.ac.uk. If you are unsure, view the genuine @cam addresses by looking in the UIS help pages: https://help.uis.cam.ac.uk/role-addresses

These scam emails sometimes appear to originate from an @cam sender, but they don't. You can check for valid Cambridge users by searching the University Lookup directory. These days it is important to take much more care before responding to an email. If anything looks suspicious, rather than clicking an email link, consider going directly to the web site. Or give the sender a ring to make sure that it is a genuine request. If you think you have been deceived in any way, contact the UIS service desk, your local IT support or Computer Officer, and change your password immediately if you are advised to do so.
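What hovering over a link reveals is the difference between the text you see and the address the link actually opens. The following added example (not code from the original page or from UIS) does the same comparison over an HTML email body with Python's standard HTML parser: it collects every link, and where the visible text itself looks like a web address, it reports links whose visible host differs from the host in the href. The sample HTML is constructed for illustration, and the deceptive destination uses a reserved .example name.

```python
"""Find links in an HTML e-mail whose visible text names one site while the href
points to another: the difference that hovering the mouse over the link reveals.

Added example, not code from the original page or from UIS. The HTML below is
constructed; the deceptive host uses a reserved .example name."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style body: the first link shows the real Raven address
# as its text but sends the click elsewhere; the other two are honest.
SAMPLE_HTML = """
<p>Your Raven password expires today.</p>
<p>Renew it at <a href="https://raven-renewal.example/login">https://raven.cam.ac.uk/</a></p>
<p>Role addresses: <a href="https://help.uis.cam.ac.uk/role-addresses">help.uis.cam.ac.uk/role-addresses</a></p>
<p><a href="https://help.uis.cam.ac.uk/role-addresses">read the help page</a></p>
"""

# Visible text that itself looks like a URL or bare domain, with optional path.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Host of a URL, or of bare text such as 'www.bbc.co.uk/news'; '' if none."""
    if "://" not in text:
        text = "https://" + text
    return (urlsplit(text).hostname or "").lower()


def mismatched_links(html: str) -> list:
    """Return (visible_text, shown_host, real_host) for each link whose visible
    text looks like a web address but names a different host than its href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not URL_LIKE.fullmatch(text):
            continue  # plain words as link text: nothing to compare
        shown, real = host_of(text), host_of(href)
        if shown != real:
            findings.append((text, shown, real))
    return findings


if __name__ == "__main__":
    for text, shown, real in mismatched_links(SAMPLE_HTML):
        print(f"link shows {shown!r} but goes to {real!r} (text: {text!r})")
```

Links whose text is ordinary words ("read the help page") are skipped, since there is no claimed address to compare; for those the hover check, or going to the site directly as the transcript suggests, is the only option.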

STOP! THINK! Before you CLICK!

What is Spear phishing?

Spear phishing is a malicious email, phone call or face to face contact that is specifically directed at YOU.
Criminals target you by taking any publicly available information from your workplace and your posts on social media, such as Facebook or Twitter.
Scammers may also try to obtain information over the phone or face to face by impersonating a company or department you trust.
So what can you do to avoid being scammed? It’s important that you confirm the identity of people who ask for personal or sensitive information before you release it.
If you have areas in your work place that are not publicly accessible, you may need to check that strangers are being accompanied by their host or are genuine visitors, by asking to see their visitor's badge.
Another way scammers can target you is to trick you into installing a bad app on your phone or tablet, giving them access to your contacts and private information. Only install apps via the official store.
Spear Phishing emails will often use your name and job title and may appear to come from a colleague, a friend or a business contact that you trust, say your HR department, HMRC or your bank.
But it isn't; it's from a criminal who wants to find out your credit card and bank account numbers, your passwords, the financial data on your computer, or sensitive information belonging to the University.
Spear phishing emails may ask you to open an attachment, click on a malicious link or to enter your login details into a fake site.
Opening an attachment can install a virus on your computer. You may be surprised to know that your anti-virus software MAY NOT always detect a malware attachment.
What can you do to avoid being duped? There are a few things to look for. Check that the From and "Reply-To" email addresses look correct.
Check that web links point to expected destinations: mouse over the link to see if the pop-up information matches the sending email address.
Check the phone number to see if it is correct or a scam. Go directly to the web site rather than trusting the number in the email.
Read the email signature carefully, does it look authentic? If in doubt, before you CLICK, contact the sender using details found elsewhere.
If you think you are the victim of a scam, gather as much information as you can, then report the incident immediately.
For face to face or phone scams, record the person’s name, telephone number, and what they are asking for.
If you have given away your UIS account details change your password immediately if you are advised to do so.
If you have given away your login details for other services such as your bank, contact your bank directly using details from their web site.
If you have clicked a link or opened an attachment and something unusual happens, a virus or other malware may have downloaded.
Act quickly! Pull the Internet cable out. Turn off your computer.
Contact your local IT support, Computer Officer or the UIS service desk. They are there to help.
STOP! THINK! Before you CLICK!

Choosing a strong and memorable password

Do all my computers and user accounts need a password? Yes they do! One of the commonest causes of hacked computers, tablets or phones is a non-existent or weak password.

How do you choose a safe PASSWORD? Follow these simple guidelines. Firstly, your passwords should be as long as possible: use at least 12 characters. Passwords shouldn't consist of a single word in ANY language. Use both UPPER CASE & lower case characters. You can also use non-alphanumeric symbols. But don't use easily sourced personal information, such as your birthday, the name of your pet, your CRSid, your postcode, or street name. Instead, DO USE a passphrase such as Apple Currents Chicken Armour. Using popular words, such as your favourite movie, is less safe. Random unassociated words are much stronger, so use them if you can remember them. For example: unrelated words with punctuation, a sentence that is nonsense, or the first letter of each word in a phrase or song title, but avoid well-known quotes or sayings.

Never give password information out through an unsolicited phone call or in an email. Don't write them down or share them with ANYONE. No, not even your PET! Please don't use the same password for everything, and especially not these: 123456, qwerty or password, which are the most commonly used passwords and very easy to crack! Use different passwords for your home and work computers. Be discreet while typing your password; don't let others see you key it in. Another thought: if you are travelling, remember to check that your password characters are available on foreign keyboards. If you use your own devices for work purposes, such as a tablet, a phone or a laptop, ensure that these are secured by a password or PIN.

So, how do you recognise a good password? Not this one: Apple will take a computer microseconds to crack! Whereas Apple-Curr, with just five more characters, will take one year. But it can still be improved. Apple-Currents-Chicken-Armour takes 72 decillion years to crack using today's tools! We haven't tested this, but the principle holds: use a long passphrase.

So, a question for you. Which password is the strongest? A) or B) My favourite ice cream is chutney? The correct answer is: B. Remember, size does matter, and it is the LENGTH that is important. The longer and more unpredictable the better, but do keep it memorable!

So how do you change your UIS password? Go here: https://password.csx.cam.ac.uk/ But what if you have passwords for other institutional systems? Go to your local IT Officer or contact the UIS service desk. You can check to see how safe your passwords are using the Password Management system: https://password.csx.cam.ac.uk/person/yourCRSidhere/change-passwd

Can't remember all your passwords? We all have that problem. Remember, don't write them down! But don't worry, there is a solution to this. Consider using a password manager application to store your passwords, but do be careful before you download any such software.
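The reason length matters can be made concrete by counting how many candidates an attacker has to try. The following is an added example, not code from the original page, and it does not reproduce the transcript's own figures (which came from an unstated tool): it computes the brute-force search space for the three passwords the transcript compares, converts it to years at an assumed, round guess rate of ten billion per second, and then also shows the smaller space an attacker faces if they know a passphrase is made of dictionary words, which is why a single word such as "Apple" is weak and why random, unassociated words are stronger than popular ones. The 7776-word list size is an assumption used for that second calculation.

```python
"""Why length beats cleverness: size of the space an attacker must search for a
password, first by character brute force and then under the weaker assumption
that the attacker knows it is made of dictionary words.

Added example, not from the original page. The guess rate (1e10 per second) is an
assumed round figure for scale only; the transcript's own figures for 'Apple',
'Apple-Curr' and the full passphrase came from an unstated tool and are not
reproduced here."""
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume, from the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1  # printable symbols plus space
    return size


def brute_force_space(password: str) -> int:
    """Number of candidates an exhaustive search of the same length and alphabet tries."""
    return charset_size(password) ** len(password)


def bits(space: int) -> float:
    """Search space expressed in bits, the usual way to compare strengths."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every candidate at the assumed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def wordlist_space(word_count: int, wordlist_size: int) -> int:
    """Candidates if the attacker knows the password is word_count random words
    drawn from a list of wordlist_size, ignoring separators and capitalisation."""
    return wordlist_size ** word_count


if __name__ == "__main__":
    for pw in ["123456", "Apple", "Apple-Curr", "Apple-Currents-Chicken-Armour"]:
        space = brute_force_space(pw)
        print(f"{pw:32} {bits(space):6.1f} bits  {years_to_exhaust(space):.3g} years")
    # The same four-word passphrase seen as 4 words from a 7776-word list (an
    # assumed list size): far smaller than the character count suggests, yet
    # still far beyond a single dictionary word, which is why 'Apple' is weak.
    print(f"{'4 random words':32} {bits(wordlist_space(4, 7776)):6.1f} bits")
    print(f"{'1 dictionary word':32} {bits(wordlist_space(1, 7776)):6.1f} bits")
```

The character-level figures are an upper bound: an attacker who guesses that the password is made of words does far better than exhaustive search, which is what the word-list calculation shows. That gap is the transcript's advice in numbers: add more words, and choose words that are unrelated rather than a favourite title or a well-known saying.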

Contact your friendly local IT Department or Computer Officer for advice, or email the UIS Service Desk, service-desk@uis.cam.ac.uk